Apache 2.4.58 HTTP Server Release Fixes HTTP/2 DoS Vulnerabilities

Apache HTTP Server 2.4.58 has been released. The new version contains 33 changes and fixes three vulnerabilities, two of which are denial-of-service (DoS) issues in the HTTP/2 implementation (mod_http2).

The first vulnerability, CVE-2023-45802, is caused by the delayed release of memory after an HTTP/2 stream is reset: when a client cancels a request with an RST_STREAM frame, the request's memory is not reclaimed immediately but only when the connection closes. An attacker can keep a single connection open and continuously send new requests and reset them, so the server's memory footprint keeps growing without the connection ever being closed.

The second vulnerability, CVE-2023-43622, allows a client that opens an HTTP/2 connection with an initial window size of 0 to block the handling of that connection indefinitely. Opening enough such connections exhausts the maximum allowable number of open connections (and the workers serving them), causing a slow-loris-style denial of service.

The third vulnerability, CVE-2023-31122, affects mod_macro and is an out-of-bounds read: data from beyond the end of an allocated buffer can be read.
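A quick triage of which hosts still advertise a pre-2.4.58 version, written as an added example (it is not part of the release announcement). It parses the product token of the Server header and compares it with the fixed version; the host names and banners below are constructed sample data. A banner older than 2.4.58 is only a hint to check the installed package's changelog, because distributions such as Debian and Red Hat backport security fixes without changing the upstream version string, and a banner with ServerTokens Prod carries no version at all.

```python
import re
from typing import Optional

# First upstream release carrying the fixes for CVE-2023-45802,
# CVE-2023-43622 and CVE-2023-31122.
FIXED_VERSION = (2, 4, 58)

# Product token of an httpd Server header, e.g. "Apache/2.4.57 (Ubuntu)".
# The lookahead rejects other products that merely start with "Apache",
# such as "Apache-Coyote/1.1" (Tomcat).
_APACHE_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)\.(\d+))?(?=\s|$)")


def apache_version(server_header: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header, or None when the
    header does not name httpd or hides its version (ServerTokens Prod)."""
    m = _APACHE_RE.search(server_header)
    if m is None or m.group(1) is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def banner_says_fixed(server_header: str) -> Optional[bool]:
    """True if the advertised version is 2.4.58 or newer, False if older,
    None when the banner carries no usable version.

    False is not proof of exposure: distribution packages backport fixes
    without bumping the version, so confirm against the package changelog."""
    v = apache_version(server_header)
    if v is None:
        return None
    return v >= FIXED_VERSION


def triage(banners: dict[str, str]) -> dict[str, Optional[bool]]:
    """Run the banner check over a mapping of host -> Server header."""
    return {host: banner_says_fixed(hdr) for host, hdr in banners.items()}


# Constructed sample banners (not real scan data); the hosts are placeholders.
SAMPLE_BANNERS = {
    "web1.example.test": "Apache/2.4.57 (Ubuntu)",
    "web2.example.test": "Apache/2.4.58 (Unix) OpenSSL/3.0.10",
    "web3.example.test": "Apache",            # ServerTokens Prod hides the version
    "web4.example.test": "nginx/1.25.2",
    "web5.example.test": "Apache-Coyote/1.1", # Tomcat, not httpd
}

if __name__ == "__main__":
    labels = {True: "fixed", False: "PRE-2.4.58, check package changelog", None: "unknown"}
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {labels[verdict]}")
```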

Among the non-security-related changes in Apache 2.4.58, all in mod_http2:

Module      Description
mod_http2   Added support for the WebSocket protocol on top of an HTTP/2 stream, following RFC 8441. The feature is enabled with the directive 'H2WebSockets on|off'.
mod_http2   Introduced the 'H2EarlyHint name value' directive, which adds headers to a "103 Early Hints" interim response.
mod_http2   Added the 'H2ProxyRequests on|off' directive to control the inclusion of HTTP
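A configuration fragment exercising the new directives, written here as an added example (it is not taken from the Apache release notes or documentation). The host name, certificate paths and preloaded asset paths are placeholders; the HTTP/2 DoS fixes themselves need no configuration and apply as soon as 2.4.58 is running.

```apache
# Added example, not from the Apache project: TLS virtual host with HTTP/2
# and the mod_http2 directives introduced in 2.4.58. Paths and host names
# are placeholders.
LoadModule ssl_module   modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so

Listen 443

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Offer HTTP/2 via ALPN, fall back to HTTP/1.1 for older clients
    Protocols h2 http/1.1

    # New in 2.4.58: allow RFC 8441 extended CONNECT so WebSocket
    # endpoints can be reached over an HTTP/2 stream
    H2WebSockets on

    # New in 2.4.58: headers to send in the "103 Early Hints" interim
    # response before the final response is ready
    H2EarlyHint Link "</static/app.css>; rel=preload; as=style"
    H2EarlyHint Link "</static/app.js>; rel=preload; as=script"
</VirtualHost>
```

Check the result with `httpd -t` before reloading; an unknown directive (for example on a build older than 2.4.58) fails the syntax check rather than being silently ignored.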
